Sep 18 2014

NSTIC Pilots Tackle the Flaws of Online Passwords

The National Institute of Standards and Technology announced three pilot programs that will test digital options for authenticating Internet users and improving online registration for state services.

What if digital credentials could replace passwords for authenticating your identity online? And what if state-issued credentials such as driver’s licenses could be extended into the online world and used to register for government services?

These scenarios are being tested today through government-funded pilot programs designed to make online identity protections more private, secure and convenient.

The National Institute of Standards and Technology announced $3 million in grants for three organizations to test solutions that make it easier to minimize loss from online fraud, to apply for state services online and to use mobile devices instead of passwords for online authentication.

The pilots are part of a larger government-wide initiative called the National Strategy for Trusted Identities in Cyberspace, which President Barack Obama launched in 2011. The goal is to create “a marketplace where all of us, within a few years, can choose from a variety of solutions to replace passwords and conduct transactions,” says Jeremy Grant, senior executive adviser for identity management and head of the NSTIC National Program Office.

So far, NIST has provided funding for 15 pilot programs, most of which last for two years, Grant notes. NIST uses performance-based budgeting to fund the pilots. The Commonwealth of Pennsylvania and the Michigan Department of Human Services have both received grants to launch pilot programs.

Addressing NSTIC Barriers

While there are solutions available today that are designed to replace passwords with stronger credentials, a host of challenges must first be addressed for these technologies to gain traction among online users and the organizations they interact with online. There are vendors that have great widgets, but there is no framework to ensure they are interoperable, Grant explains.

The Identity Ecosystem Steering Group, led by the private sector, is working on a solution. Members include officials from LexisNexis Risk Solutions, the Commonwealth of Virginia’s Department of Motor Vehicles and The Neiman Marcus Group. The group is developing a framework of standards and policies that can support interoperability, with input from organizations such as the American Civil Liberties Union and Aetna. The framework must adhere to NSTIC’s guiding principles on privacy, security, ease of use and interoperability.

Those working on NSTIC envision using a trust mark to verify that online identity systems align with NSTIC principles.

Here’s a summary of the three pilots that received NSTIC funding:

Massachusetts-based MorphoTrust received $736,185 to coordinate a pilot that extends driver’s license credentials into the online world. The company has a background in delivering end-to-end solutions for driver’s license and ID issuance. Working with the North Carolina departments of Transportation and Health and Human Services, MorphoTrust will create a digital credential that can be used to apply for the state’s Food and Nutrition Services Program online. “This solution will eliminate the need for people to appear in person to apply for FNS benefits, reducing costs to the state while providing applicants with faster, easier access to benefits,” according to NIST. The solution could be extended to obtain other government services, Grant says.

Confyrm is partnering with “a major Internet email provider, a major mobile operator and multiple e-commerce sites” to demonstrate how these entities can share information about fake online accounts or legitimate accounts that have been hijacked. Email providers can detect when certain accounts aren’t legitimate or have been taken over, but there isn’t a robust method for sharing that information with other organizations. By contrast, the credit card industry does have such a method: when a credit card has been canceled, most stores are made aware and can decline to accept the card. Grant says the pilot will test the use of an online hub, where information is not stored but rather shared via signals or alerts to certain organizations. Confyrm says it “supports all identity technologies by providing an underlying infrastructure for sharing operational identity event alerts.” The pilot received $1.2 million in funding.

The nation’s four largest wireless carriers are teaming with the organization GSMA to create a common approach for authenticating online transactions using digital credentials. The pilot received $821,948 and will test options that can be used across mobile carriers. One scenario might include the use of a mobile app that could send push notifications when a mobile user logs onto a website. As part of the login process, users would need to approve the notification before gaining access to the website. The pilot will focus on the “user interface, user experience, security and privacy challenges” and ease of use.